Security Aware Checklist for Pokémon GO: How to Catch ‘Em All Safely

Mere weeks after its launch, you would be hard-pressed to find someone with access to the internet or social media who hasn’t heard of the latest app trend sweeping across 30 countries worldwide: Pokémon GO. Boasting more daily users than Twitter and higher engagement rates per day than Instagram, Snapchat, or WhatsApp with more than an hour daily spent within the app – an unheard-of feat for a gaming app – it’s (unofficially) considered the most successful mobile app to date.

But we here at SAC view all things cyber with a healthy dose of wary skepticism, especially when it comes to the mobile domain. While we fully support anyone who wants to “catch ’em all” (we even have a few trainers on-staff!), we ask that you take the following precautionary steps before stepping out into the wild.

Download the official Pokémon GO app (from Niantic) from the Google Play or Apple App Stores.

EDIT: PokéVision is a third-party map plugin that makes it easier to determine exactly where specific Pokémon will be spawning and for how long. There’s a bit of debate going on about whether it’s cheating and a quick way to make the game boring, or if its advantages outweigh any downsides. Some say that it helps in planning excursions, letting you head in the best direction for the greatest haul of Pokémon and get around the “three step” bug that drives everyone mad. Since you can enter an address to scan, you can also leave your GPS off until you arrive at that location (which means no geotagging along the route!). But there’s a bigger risk involved: since it runs on Niantic’s API, it’s possible the developers could block it for giving players an unfair advantage, or block your account if they discover you’ve been using it. Currently there’s no app for PokéVision, but it can be used in a mobile browser.

There are several reasons that it’s important for you to regularly patch the OS and any apps you’ve downloaded. Hackers are very good at finding holes in the framework that the developers didn’t foresee. Sometimes an update is released to combat a spreading threat or to mitigate one from happening, but either way it’s common sense that you would want to fix it.

Apps also experience bugs that the developers didn’t anticipate, or features that users find disagreeable. In the case of Pokémon GO, the iOS version originally gave the app the ability to see and modify full details of your Google account and its credentials. Once users discovered this and were (rightly) outraged, Niantic issued a statement saying they had patched the security holes.

The app uses Google accounts for authentication purposes and tracking, so if you’d like to put some distance between your true personal life and possible security risks, we recommend creating a “throwaway” account completely unrelated to you. It would be better still to create a Pokémon Trainer Club account even though this might prove to be a difficult and tedious process; the servers couldn’t handle the number of people wanting to sign up and they were forced to place a restriction on the number of people who could create an account each day.

If your organization uses Google apps, never use your professional work account for Pokémon GO or any other games!

Use a trainer name that isn’t associated with your name or known aliases.

At the moment, players are unable to see one another within the game or any information about others playing around them, but this functionality may be added in the future, and it’s better to err on the side of caution. There are already two exceptions: users can see the reigning trainer name and their Pokémon’s names at gyms, as well as the names of trainers who place lures at Pokéstops. Just think… do you want something personally identifiable to be seen by random strangers or worse, criminal hackers? If you’ve already named your trainer, no fear: you can still change it by a request to support.

Use common sense. Don’t get so sucked into the game world that you forget to pay attention to the world around you! Always travel with a buddy or remain in your vehicle with the doors locked when visiting gyms and Pokéstops. Remember that often you can interact with these places from a distance.

Stay alert to your physical surroundings. Look up from your screen while moving. Never drive while playing.

Even though many aspects of the game require you to pay attention to what’s happening on the screen, you should not do this while moving. Look up!

Pay close attention to what’s in the frame during a capture when using augmented reality (AR).

Although you may be excited about the cool new Pokémon you just encountered, take an extra second to note what’s in the foreground and background of the frame. Never photograph or share screenshots that include reflective surfaces, personally identifiable information (faces, vehicle license plates), or location markers (street signs, notable buildings and landmarks, your house). Also be aware that the location coordinates where the picture was taken are likely embedded in the picture’s metadata!

It’s best to turn AR off when playing Pokémon GO at work or around your home! To turn AR off, click on the Pokémon you want to catch, then click the switch labeled “AR” in the top right-hand corner of the screen. All this does is take away the surroundings shown through your camera and replace them with an animated grass backdrop; it also makes the Pokémon easier to capture!

Know that the app currently has an infamously shady 20-page-long Privacy Policy.

When you accept the privacy policy attached to Pokémon GO, you are basically giving Niantic the right to do whatever they wish with the data they’ve collected from you, which includes a wealth of location data taken from geotagging. They can turn it over to law enforcement or sell it to whomever they wish. They can share it with third parties who “may not have agreed to abide by the terms of this Privacy Policy” or store it off-shore in foreign data centers that may have different (read: lax) privacy laws.

But if you take each of the items above seriously, you can be assured that in the likely event of an attack, you’ll be much safer than the users who were careless and any damage to you will be greatly minimized. Simple common sense and informed awareness can ensure that your experience remains positive.

Kayley manages our growing footprint on the web and develops marketing strategies to both keep us current & help us reach more people who might benefit from our message. A professionally trained artist and verifiable “weird girl,” she has 5 pet-children, cooks unbelievably good food, and can out-lift you at the gym.
